Manning, Snowden, Wikileaks… Recent headlines have made the dangers of insider threats for federal agencies even more of a flashing red light than before. The risk of intentional data breaches is a critical problem, but certainly not the only one. The latest report from the Ponemon Institute, the 2013 Cost of Cyber Crime Study: United States, found that more than one third of all data security breaches at government agencies are caused accidentally by internal employees. Intentional or not, both are problematic.

Human error as insider threat

A study by the Privacy Rights Clearinghouse noted not long ago that government agencies have experienced a steady rise in data breaches caused by employees over the last four years. In addition, employee negligence has caused over 150 breaches and the loss of more than 92.5 million records since January 2009.

A few days ago, I was delighted to see the National Institute of Standards and Technology (NIST) release its Preliminary Cybersecurity Framework for reducing cyber risks to critical infrastructure. My first read-through was pretty positive: they cover a lot of material, and I think it will help organizations understand the full picture of security readiness. Their tiered approach, for instance, is sound, and I've seen it work successfully in other industries: e-discovery has the EDRM Maturity Model, and software development has the CMMI. And I'm very pleased to see such attention paid to PII and privacy.

That said, however, I saw a few structural problems on my second review. The Framework has a lot of noise about security policies and procedures and not as much of a call-to-action on collaboration and threat intelligence-sharing as I would like. It lacks any mention of proactive forensics or proactive investigation. It contains a wealth of detail on rules and process for ensuring information security, but very little in the way of the means of, or requirements for, organizations to work together to fight the good fight. And it has a major hole in its attempt to categorize threat detection and response.

In my day job, we often discuss security tools and the processes that generate the requirements for them. Lately, we have been debating incident response tools and processes as contrasted with forensic investigation tools and processes. Obviously, each brings different benefits to the general discipline of security, and each has different requirements in terms of the tool sets needed to execute its processes.

To me, the boundaries between forensic investigation and incident response have always been rather clear: maybe slightly fuzzy at the exact interface between them, but not a huge gaping canyon of a zone of uncertainty. However, lately I'm starting to believe that out there in the rest of the community it may not be so clear. I could be wrong; it wouldn't be the first time, and I'm sure it won't be the last, especially if you ask some of my close friends.